5-Apr-2010 11:33 am from Windstream
Change to this service being applied tonight
We will be making a change to this service tonight based on feedback from our customers who wish to continue to use Google for the search box. We apologize for any inconvenience this may have caused.
Significance | Explanation |
---|---|
Compromised data | If the investigator identifies malware on a suspect's hard drive or data files, then the question becomes: where did the malware come from? Or more specifically: did the investigator's computer infect the suspect's data, or was the data already infected? Any change made by the investigator's system to the source data prior to analysis is tantamount to evidence tampering and calls into question both the data integrity and the chain of custody. |
Compromised results | Some malware is designed to alter documents. This is usually part of a viral infection, but adware can do it as well. Having unknown text added to an official report compromises the integrity of the report. |
Compromised privacy | Spyware and network interception can result in the unintentional disclosure of sensitive information. |
Altered data | Many legal cases rely on snapshots of web sites as evidence. In effect, they show the jury what the web site looked like at a specific time. If malware or an intercepting network provider alters the data, then the evidence does not represent what the web content actually looked like. |
Suppressed evidence | Evidence can be used to convict or exonerate a defendant. If legal counsel can show that an investigator used a compromised system, then they could potentially have all evidence and results from that investigator excluded from the court proceedings. Without the proper evidence, a guilty person may walk free, or an innocent person may be found guilty. |
Impacted cases | Because viruses, worms, and trojans spread among computers, a single infected system in a forensic department could compromise dozens or hundreds of legal cases. |
Detection | Explanation |
---|---|
Unexpected cookies | With HTTP, the web server can issue a cookie to the web browser, and the browser is expected to return that cookie on later requests to the same server. Cookies provide a simple solution for session maintenance. According to the protocol, each cookie is bound to the domain that issued it, and the browser returns it only to that domain. This is how your browser knows which cookies get sent to which servers. Infected systems and hijacked network connections can result in cookies from one domain being sent to a different domain. The web server then receives an unexpected cookie: one it never issued. An unexpected cookie is a clear indicator that something is wrong: either you are infected with some kind of malware, or your network connection is being hijacked. The public FotoForensics server does not use cookies, so your browser should never send cookies to this server. For FotoForensics login management, such as at FotoForensics Lab, we use one cookie that manages the login session. Any other cookie received by this server is unexpected and an indicator of infection or hijacking. |
Known-bad cookies | Cookies are "field=value" pairs. Some unexpected cookies carry field names that identify known adware or spyware. This includes malware from Linkbolic, AdvMaker, AddThis, and Clkmon. |
User-agent strings | Your web browser transmits a user-agent string that identifies the browser and some of its capabilities. Some malware, adware, and spyware add their own tokens to this string. This includes spyware toolbars (like Alexa, Dealio, and Hotbar), adware (e.g., SIMBAR and Zango), and other forms of known malware (e.g., iBryte and WebMoney Advisor). |
Unsafe browsers | Some web browsers act as trojans. While they permit surfing the web, they also insert ads or report online activities to remote companies. As an example from 2014, The Register reported that the Chinese 'Sogou Explorer' browser sends online activity information to third parties (spyware). At FotoForensics, we found that most Sogou Explorer browsers are also infected with iBryte adware. (And if the browser is this infected, how compromised is the rest of the computer?) |
Ad blockers | Ad blockers are beneficial and can protect your system from malvertisements: hostile advertisements that deliver malware. This tutorial tests for the presence of common web browser ad blockers. The test uses a pseudo-ad (a bait element that looks like an advertisement) which general-purpose ad blockers such as AdBlock Plus, uBlock Origin, and Adguard AdBlocker detect and block. Other ad blockers, such as Privacy Badger, are not detected by this test, so a negative result does not prove that no blocker is installed. |
Risky plugins | Plug-ins, add-ons, and extensions provide additional functionality to your web browser. However, these modules may also expose your browser to exploitable vulnerabilities. This includes Oracle's Java, Adobe's Flash, Microsoft's Silverlight, and Cisco's WebEx. Malware and malvertisements often exploit these vulnerabilities, infecting browsers and computers. This tutorial tests for the presence of common plugins that pose a high risk, such as having a large number of known exploits. For example, Java, Flash, and Silverlight have each had new vulnerabilities disclosed and new critical patches released almost every month, and this went on for years. To put it bluntly: if every month of every year yields a new set of patches for new high-risk bugs, then these plugins are not safe for everyday use. (Flash reached end of life in December 2020 and Silverlight in October 2021, and current browsers no longer load NPAPI plugins at all, so finding one of these plugins today usually also means an outdated browser.) |
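The three header-based checks in the table (unexpected cookies, known-bad cookie fields, and adware tokens in the user-agent string) can be run server-side over any request's headers. The Python below is an added example written for this page, not FotoForensics' own code: the session cookie name `labsession`, the `analyze_request` helper, and the three sample requests are constructed for illustration; the indicator lists are the ones the table names.

```python
"""Server-side detection of the header indicators described in the
tutorial: cookies this server never issued, cookie fields naming
known adware, and adware/toolbar tokens in the User-Agent string.

Added example, not FotoForensics' code. SESSION_COOKIE, analyze_request
and the sample requests below are constructed for illustration.
"""
from __future__ import annotations

# Assumed name of the single login-session cookie (hypothetical).
SESSION_COOKIE = "labsession"

# Cookie field names the tutorial associates with adware/spyware.
KNOWN_BAD_COOKIE_FIELDS = ("linkbolic", "advmaker", "addthis", "clkmon")

# User-Agent tokens the tutorial associates with spyware toolbars,
# adware and other malware. Substring matching is deliberately crude:
# a hit is an indicator to investigate, not proof of infection.
KNOWN_BAD_UA_TOKENS = ("Alexa", "Dealio", "Hotbar", "SIMBAR", "Zango",
                       "iBryte", "WebMoney Advisor")


def parse_cookie_header(header: str) -> dict[str, str]:
    """Parse an RFC 6265 Cookie request header ('a=1; b=2') by hand.

    http.cookies.SimpleCookie is avoided on purpose: it silently drops
    names it considers illegal, and the whole point here is to see
    every cookie the client sent, however malformed.
    """
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        cookies[name.strip()] = value.strip() if sep else ""
    return cookies


def analyze_request(headers: dict[str, str], public_server: bool = True) -> list[str]:
    """Return human-readable findings for one request's headers.

    public_server=True models the public host, which issues no cookies
    at all; False models the login service, where only SESSION_COOKIE
    is expected. An empty list means nothing odd was seen.
    """
    findings: list[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    allowed = set() if public_server else {SESSION_COOKIE}
    for name in parse_cookie_header(lower.get("cookie", "")):
        if name in allowed:
            continue
        bad = [b for b in KNOWN_BAD_COOKIE_FIELDS if b in name.lower()]
        if bad:
            findings.append(f"known-bad cookie: {name} ({bad[0]})")
        else:
            findings.append(f"unexpected cookie: {name}")

    ua = lower.get("user-agent", "")
    for token in KNOWN_BAD_UA_TOKENS:
        if token.lower() in ua.lower():
            findings.append(f"user-agent token: {token}")
    return findings


# Constructed sample requests (not real captures).
SAMPLE_REQUESTS = {
    "clean": {
        "Host": "fotoforensics.com",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
    },
    "hijacked": {  # cookies meant for some other site arriving at this server
        "Host": "fotoforensics.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
        "Cookie": "PHPSESSID=abc123; __utma=1.2.3",
    },
    "adware": {  # known-bad cookie field plus an adware token in the UA
        "Host": "fotoforensics.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; SIMBAR={A1B2}; rv:11.0)",
        "Cookie": "clkmon_uid=42; labsession=xyz",
    },
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        # The "adware" sample is checked as if it reached the login service.
        result = analyze_request(req, public_server=(label != "adware"))
        print(label, result or ["no findings"])
```

Against the public host every cookie is a finding; against the login service only `labsession` is tolerated, and a known-bad field name is reported separately from a merely unexpected one so that the two cases can be counted apart in logs.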
Mitigation | Rationale |
---|---|
Patch | Many types of malware exploit vulnerabilities in your computer's software. Keeping software up to date closes the holes that viruses and worms spread through. Web browsers and email clients are particularly exposed to malware attacks: they receive data from the Internet and automatically process it (rendering pages, running scripts, previewing attachments). Make sure your browser and email programs are up to date. |
Disable | Browser plugins provide additional functionality, but also provide footholds for malware. If you do not need the functionality, turn it off. For example, most web sites require JavaScript, so you should probably leave JavaScript turned on. However, very few web sites require Java (Java is not the same as JavaScript), and Java has a large number of known vulnerabilities that put your system at risk. Unless you have a specific need for Java, keep it turned off. The same goes for Adobe's Flash, Microsoft's Silverlight, and most other plugins. |
Anti-virus | Anti-virus software looks for malware signatures and takes steps to block or remove infections. Some anti-virus systems perform real-time scans in order to detect and prevent infections immediately. However, new malware appears daily, so make sure your anti-virus signatures are updated often. Most anti-virus tools are reactive, not proactive: they only detect malware they already know about. Surveys have repeatedly shown that most anti-virus systems detect only about 70% of the viruses in circulation, and most detect less than 60% of new malware. In 2008, Eva Chen, CEO of anti-virus vendor Trend Micro, declared: "I've been feeling that the anti-virus industry sucks. If you have 5.5 million new viruses out there how can you claim this industry is doing the right job?" Simply having an anti-virus system is not enough. You need to update the anti-virus database regularly and practice good online habits. |
Stranger danger | Do not open emails from unknown people, and do not open unexpected attachments. Trojans often arrive as unexpected attachments or as emails from strangers. The simple act of opening the email or viewing the attachment can be enough to trigger an infection. When in doubt, delete it. |
Beware of ads | Online ads may look tempting, but be careful: some online offers are designed to infect your system. |
Public problems | Public computers and free wireless networks are more likely to be infected or hostile, so do not use public systems for private communications. Just as a cold or flu lingers on public surfaces like doorknobs and faucets, a computer virus spreads easily among public computer systems: one user infects the public computer, and the next user picks up the infection. Public wireless networks are equally risky. If your computer has an unpatched vulnerability, another computer on the public network may deliver a worm to your system, and hostile systems on the network may try to intercept your connections. Relying on HTTPS alone to protect your connection is not enough. Never access anything that requires a login (such as your bank account, Facebook, or Twitter) from a public wireless network. |
Share safely | Beware of sharing USB thumb drives, and never use a CD-ROM or DVD from an unknown source. If you put a clean USB drive into an infected computer, the drive may become infected immediately (that is what viruses do); put that drive into your own computer and it becomes infected too. Always check removable media, such as thumb drives, CD-ROMs, and DVDs, with an anti-virus scanner before you use it. |
Browse safely | Watch out for sites that require you to install software, enable Java, or disable your anti-virus or ad blocker. Some web sites ask you to install unknown software, or to weaken your defenses by turning off your anti-virus or ad blocker. If you see this, leave that site as fast as possible. A safe web site should never tell you to do something unsafe. |
Avoid bad habits | If you find yourself clicking through a series of popup confirmation windows ("Yes", "Yes", "Yes"...), you are probably infected. Regular software rarely requires multiple confirmations. In contrast, malware usually trips security alerts, producing a series of "Are you sure?" prompts and popup confirmations. |
Watch out | Keep an eye out for unexpected behavior. If your computer suddenly starts doing something new (and annoying), it could indicate a malware infection. If your computer is suddenly running very slowly, windows keep popping up, applications open and close rapidly in the background, or programs you don't recognize appear on your taskbar, then your computer is probably infected. Don't ignore an infection: it won't go away and it won't get better over time. |